June 2016

A month after the Supreme Court’s much-anticipated decision in Spokeo, Inc. v. Robins, the aftershocks of the ruling have already rumbled through numerous district and appellate courts. As we previously discussed, the Supreme Court held in Spokeo that a plaintiff must show both particularized and concrete injury to establish standing under Article III. In so holding, the Court made clear that a concrete injury must be “real” and not merely “abstract,” and that a “bare procedural violation” of a statute would not suffice.

Some courts have already applied Spokeo to dismiss claims lacking sufficient allegations of concrete injury under the Supreme Court’s rationale. In Gubala v. Time Warner Cable, Inc., for example, where the plaintiff claimed that the defendant retained customers’ personal information in violation of the Cable Communications Policy Act, the Eastern District of Wisconsin invoked Spokeo to dismiss the plaintiff’s claims for lack of Article III standing. The court noted that the plaintiff had not alleged “disclos[ure of] his information to a third party,” or that he had been “contacted by marketers who obtained his information from the defendant, or that he ha[d] been the victim of fraud or identity theft.” Thus, “[g]iven the clear directive in Spokeo,” the court found that the complaint must be dismissed for failure to allege a concrete harm.

In an article written by Jenner & Block Partner E. Lynn Grayson and Ramboll Environ Senior Manager Gary P. Kjelleren, the authors examine environmental sustainability and why it matters for business. The article details key environmental sustainability focus areas and outlines a road map of essential considerations that companies should incorporate into any environmental stewardship initiatives. Grayson and Kjelleren conclude that there is a business case for environmental sustainability that will improve financial performance.

Last week, Judge Gonzalo Curiel of the Southern District of California dismissed a lawsuit alleging that MillerCoors falsely marketed Blue Moon as “craft beer” and denied the plaintiffs leave to amend. The plaintiffs alleged that Blue Moon was not a “craft beer” because it did not satisfy either the dictionary definition of a “craft beer” or the definition used by the Brewers Association, a trade association of independent brewers. The plaintiffs then alleged that MillerCoors deceived consumers into believing Blue Moon was a craft beer by concealing that it was manufactured by MillerCoors, creating advertisements that suggested that it was brewed in a small brewery, requiring that it be stocked with other “craft beers” in stores and restaurants, and charging a premium price to suggest that it was of higher quality than MillerCoors’ other offerings.

Ransomware attacks are on the rise in 2016, and corporations need to be aware of how to protect themselves. Ransomware is a type of cyberattack involving malware that encrypts files, databases, and other caches of information on a single computer or an entire network. Once the files are encrypted, hackers demand a ransom payment in exchange for a key to decrypt the data, otherwise the data is destroyed.

In the first three months of 2016, ransomware victims paid over $209 million in ransom, compared to $25 million in all of 2015. At least 18 healthcare providers and dozens of state and local governments, police departments, and schools have been publicly attacked by ransomware in the last year, with countless other businesses having handled unreported attacks.

The key to preventing a ransomware attack is understanding what your “crown jewels” are and how they are protected. Companies should develop a multi-tiered cybersecurity plan, which can include segmenting your computer network, updating your system with the latest patches, and restricting the ability of users to install and run new software. Your workforce is often the weakest link through which ransomware can attack, because ransomware infects networks usually after an employee opens a malicious attachment or clicks on a link in a phishing email. Educating your workforce to recognize and report malicious links and attachments is an effective means of avoiding ransomware attacks.

There are also important strategies to minimize the impact of ransomware attacks if they occur. Companies should engage in incremental system backups that are stored off network, so that up-to-date data can be restored quickly in the event of an attack. And companies should consider cybersecurity insurance options to help cover financial losses associated with paying the ransom, or lost business before systems can be restored.

Ultimately, by having mature information governance and training your workforce to be aware of the dangers, companies can overcome the growing threat of ransomware.

Thanks to summer associate McKaye Neumeister for assistance in the blog post.

The plaintiff in Demmler v. ACH Food Companies, Inc. alleged that Weber BBQ sauces containing caramel color were falsely labeled as “All Natural.” Prior to initiating the lawsuit, and pursuant to state statute, plaintiff’s counsel sent a demand letter asserting that the “All Natural” label violated Massachusetts law and demanding compensation to the plaintiff and the class. ACH responded by sending a $75 check, characterized as “the extent of [ACH’s] willingness to compromise in the circumstances.” The plaintiff rejected the check on the ground that it offered no relief to the class, and filed a complaint. ACH subsequently tendered a second $75 check, which the plaintiff again rejected, and moved to dismiss the lawsuit for lack of standing.

Notwithstanding the plaintiff’s express rejection of the checks, the court held that the defendant’s offer extinguished the dispute, leaving the parties without a live “case or controversy” as mandated by Article III. In distinguishing the Supreme Court’s opinion in Campbell-Ewald, the court emphasized that “the $75 check did not represent a settlement offer—ACH sent the check unprompted, and did not impose any preconditions on Demmler for doing so,” asserting that “[t]his distinction makes all the difference.” Although it noted that the first check was issued before the complaint was filed (and therefore arguably implicated the plaintiff’s standing), while the second check was issued during the pendency of the lawsuit (and therefore arguably implicated the mootness doctrine), the court declined to distinguish between the two offers.

This latest opinion confirms that the debate over whether an individual settlement offer can moot a class action is far from over.

Three named plaintiffs, on behalf of a class of Illinois residents, brought suit against Facebook under the Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1/ et seq. (“BIPA”), alleging that Facebook violated BIPA by amassing biometric data to fuel its “Tag Suggestions” program without their consent. Plaintiffs alleged in their complaint that the Tag Suggestions program uses state-of-the-art facial recognition technology to scan photographs uploaded to Facebook and identify individuals who appear therein by name for the user. BIPA, passed back in 2008, is an Illinois statute that governs a private entity’s retention, collection, disclosure and destruction of information about a “biometric identifier” – defined in the statute as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” and “biometric information” – biometric identifiers used for identification purposes. The consolidated matter was transferred from the Northern District of Illinois to the Northern District of California, where Facebook resides, based on a venue-selection clause in the Facebook user agreement.

As threatened earlier this year, the Hamburg Data Protection Commissioner Johannes Caspar has announced enforcement actions against a handful of multinational companies for non-compliance with German data protection law. After the Schrems decision in the European Court of Justice in October 2015 that invalidated US-EU Safe Harbor as a valid data transfer mechanism from the EU to the U.S., the Article 29 Working Party – a collective of the individual EU Member States’ Data Protection Authorities (DPAs) – announced an enforcement grace period to allow companies to get into compliance with other data transfer mechanisms, such as Model Contracts or Binding Corporate Rules. Caspar and his office have since audited 35 multinational companies operating in Hamburg. The enforcement actions, and the administrative fines levied therein, are related to the earlier audits, but may not be the end of the DPA’s investigations.

The Hamburg enforcement actions are the first enforcement actions made public against U.S. companies that did not update their data transfer compliance in a timely fashion, but they certainly will not be the last. Companies should anticipate enforcement actions for non-compliance from other DPAs.

On June 2, 2016, the Consumer Financial Protection Bureau (CFPB) proposed a set of rules restricting payday lending. Payday loans are typically high-interest loans made to low-income borrowers who need cash quickly and borrow money against their next paychecks. There are about 16,000 payday lenders operating online and in stores across over 30 states. Among other things, the CFPB’s proposed rules will require lenders to verify prospective borrowers’ income, limit how many times borrowers can take new payday loans to pay off existing ones, and cap interest rates on longer-term loans. Lenders have stated that the proposed rules would force many of them out of business and eliminate a short-term credit option for borrowers who cannot obtain loans from mainstream banks. Consumer advocate groups, on the other hand, believe that the new rules are necessary and arguably should be stricter. In the next several months, the CFPB will review comments to its proposal and then issue a set of final regulations. News of these rules has been widely covered, including by The New York Times (“Payday Loans’ Debt Spiral to Be Curtailed”) and Fortune (“New Rules Could Dramatically Alter the Payday Loan Market”), among others.

In Korea Week , Inc. v. Got Capital, LLC, the Eastern District of Pennsylvania (Kearney, J.) held that a freestanding class action waiver—that is, a waiver that was “independent and outside of an arbitration agreement”—was enforceable and that it rendered the plaintiffs inadequate class representatives. The plaintiffs, a group of Asian-American small businesses who entered into merchant cash advance (“MCA”) financing arrangements with the defendants, alleged that the defendants were engaged in loan sharking, predatory lending, and money laundering. Those small business owners asserted civil RICO claims on behalf of a putative class of small businesses that obtained similar financing arrangements. Each of the named plaintiffs’ MCA agreements included a clause stating that the plaintiff “waives any right to assert any claims against [the defendant] as a representative or member in any class or representative action.” The court held that this language precluded the plaintiffs from serving as adequate class representatives. In so doing, the court rejected the plaintiffs’ argument that a class action waiver is substantively unconscionable when executed outside the context of an arbitration clause. The court rejected the argument that the Supreme Court’s decision in American Express Co. v. Italian Colors Restaurant was “limited to arbitration agreements with class action waivers,” as opposed to freestanding waivers executed outside the context of an arbitration agreement. Instead, it determined that such a waiver is enforceable so long as (1) the waiver is not “unconscionable under the applicable state law” and (2) there is no evidence of “legislative intent or policy reasons weighing against enforcement of such a waiver.” Applying this test, the court held that the waiver was enforceable. It held that there was no evidence that the waiver was either procedurally or substantively unconscionable, nor “any reason to interpret RICO as encouraging class actions.” Accordingly, because “each of the named plaintiffs agreed not to file a class action,” the court concluded that “they cannot now be the named plaintiffs charged with representing unnamed merchants” and denied class certification.

In Allen v. Boeing Co., the court ended a two-year cycle of removal, remand and appeal under the Class Action Fairness Act (“CAFA”). Jocelyn Allen and a group of over 100 Washington property owners sued The Boeing Company (a Delaware Co.) in Washington State Court for alleged environmental damage from contaminated groundwater caused by Boeing’s use of hazardous solvents dating back to the 1960s. Plaintiffs also brought a claim against Landau Associates, Inc., a Washington-based environmental-remediation contractor who was hired in 2002, for negligence in remediating the contamination. Boeing removed the matter to federal court as a “mass action” pursuant to the CAFA. 28 U.S.C. §1332(d)(11)(B). Since then, the parties have been arguing about whether certain exceptions under the CAFA apply. On this third trip to appellate court (and second trip to the Ninth Circuit), the question presented was whether the district court properly remanded the matter to state court pursuant to the CAFA’s “local controversy” exception. The local controversy exception provides that federal courts “shall” decline jurisdiction for “truly local” controversies – meaning those where (1) more than 2/3 of the proposed plaintiffs are citizens of the filing state; (2) plaintiffs seek “significant relief” against at least one in-state defendant whose conduct is a “significant basis” for the asserted claims; (3) the “principal injuries” were incurred in the forum state; and (4) no similar class action has been filed within the last three years. 28 U.S.C. § 1332(d)(4)(A). Boeing argued on appeal that Landau’s conduct, and the relief sought from Landau, was not “significant” compared to Boeing’s. Boeing argued that Plaintiffs failed to distinguish between the relative involvement of Boeing and Landau, and failed to specify the division of damages sought against the two defendants. If they had done so, Boeing argued, it would have been clear that Landau was an isolated player that arrived on the scene decades after the groundwater was allegedly contaminated, and that Landau’s exposure to liability was insignificant in comparison to Boeing’s. The court held that a determination about the respective abilities of the defendants to satisfy a judgment would result in an improper “mini-trial on the merits.” Further, the fact that Landau was one of only two defendants and that Plaintiffs asserted separate claims against Landau for its conduct made it “significant.” The Ninth Circuit affirmed the district court’s remand order, sending the matter back to remain in state court.